RELEASE NOTES & SECURITY REPORTS
Free scanners, vulnerability reports, and platform-specific guidance. No fluff.
Download: vibe-coding-security-weekly-may-18-2026.pdf — printable, site-styled (7 pages).
A second independent audit dropped this week and …
This is the 2026 AI coding security report. It is built on 1,812 firehose events drained across 7.5 days (May 6 → May 13, 2026), every claim …
The week vibe-coding security broke into mainstream press. RedAccess scanned 380,000 publicly accessible apps built with Lovable, Base44, …
May 2026 was the month the defender side of vibe-coding security finally shipped. Replit pushed out Security Agent and Workspace Security …
The week of April 28 to May 5, 2026 turned every previous thread in vibe-coding security into something with teeth. Replit’s CEO …
Most security scanners are built for code from 2018. The AI-codegen apps shipping in 2026 are a different shape, fail in different ways, and …
If your AI-generated app passes Snyk, Semgrep, and the Claude Code or Codex review skill, you have proof that the code in your repo is …
Three stories defined vibe-coding security between April 28 and April 30, 2026: Apple’s quiet enforcement push against vibe-coding …
380,000: Vibe-coded assets RedAccess found publicly accessible (Lovable, Base44, Replit, Netlify)
5,000: Of those exposing genuinely sensitive …
Five stories shaped vibe-coding security between April 24 and April 28, 2026: Wiz’s Red Agent + AI-BOM launch at Google Cloud Next, …
Five stories shaped vibe-coding security between April 16 and April 23, 2026: a 48-day Lovable chat-history exposure, an Anthropic MCP …
Snyk scanned 3,984 agent skills: 13.4% had critical security issues, 76 were malicious payloads. A March 2026 arXiv paper tested MCP clients …
A non-coder shipped a beauty app with Claude Code. Her blog has a whole section teaching RLS via apartment analogy. When beauty bloggers are …
Vercel confirmed a breach. Entry point: a third-party AI tool (Context.ai) an employee was using — attackers owned the tool, then his Google …
Security researchers prompt-injected AI coding agents from Anthropic, Google, and Microsoft integrated into GitHub Actions and walked out …
Lovable ($6.6B valuation) just shipped a BOLA. Change a project ID in the URL, free account, pull anyone’s entire source tree. .env …
Kiro IDE’s pitch: force docs upfront, scan on save, “eliminate vibe-based coding errors.” Translation: vibe coders ship …
DeepKeep just launched “Vibe AI Red Teaming” — human-in-the-loop attacks on AI apps and agents. CTO: “Just as vibe coding …
Z3-verified study: AI coding assistants generate vulnerable code 55.8% of the time. Semgrep/Bandit/CodeQL catch 2.2%. Security prompts move …
Lovable just announced built-in penetration testing powered by Aikido Security. At $100 per test, it’s a fraction of traditional …
Apple removed “Anything” — a $100M vibe coding app — from the App Store and blocked updates for Replit and Vibecode. The AI …
Windsurf’s Cascade and agentic flows let you build full-stack apps fast. But the AI-generated code ships with security blind spots …
GitHub Copilot is the most widely used AI coding assistant. But studies show a significant percentage of its suggestions contain security …
Firebase Studio makes it easy to build full-stack apps with Google’s AI. But the generated Firestore rules and Cloud Functions often …
18,697: User records exposed in one app
170+: Databases fully exposed out of 1,645 scanned
90%: Of audited apps share same 5 vulnerabilities …
Test Your Cursor Project Now
Enter your deployed app URL to check for security vulnerabilities in Cursor-generated code
Quick fact: …
If you searched for “Vibe Eval” and landed here wondering about multimodal AI benchmarks, you’re in the wrong place. …
VibeEval is your go-to tool for catching bugs, securing your code, and stress-testing your vibe-coded apps built with tools like Lovable and …
VibeEval is your go-to tool for catching bugs, securing your code, and stress-testing your vibe-coded apps built with tools like Lovable, …